1. 21

  2. 3

    One thing that I would like to see, is how the CA can be restricted to the .internal TLD.

    That way if I ask other people to add the CA on their machine, they can be confident that my network will not MITM their traffic.
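The ".internal"-only restriction asked about here is what the X.509 Name Constraints extension does. As an added example, not code from this thread or from step-ca, the Go snippet below mints a root whose critical name constraint permits only names under ".internal" and shows that a client trusting only that root accepts a leaf for an .internal host but rejects one for any other domain; the root's subject and the host names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewConstrainedCA mints a self-signed root (constructed for this example) whose
// critical Name Constraints extension (RFC 5280 4.2.1.10) permits only suffix.
func NewConstrainedCA(suffix string) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{CommonName: "Home Lab Root (example)"},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
		PermittedDNSDomainsCritical: true, // clients that cannot evaluate it reject the chain
		PermittedDNSDomains:         []string{suffix},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if err != nil {
		return nil, nil, err
	}
	ca, err := x509.ParseCertificate(der)
	return ca, key, err
}

// LeafAccepted has the CA sign a server cert for host and reports whether a client
// trusting only that root accepts it: the CA signs any name, the client enforces the constraint.
func LeafAccepted(ca *x509.Certificate, caKey ed25519.PrivateKey, host string) bool {
	pub, _, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), DNSNames: []string{host},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	leaf, err := x509.ParseCertificate(der) // errors if issuance failed
	if err != nil {
		return false
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil // false for names outside the permitted suffix
}
```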

    1. 1

      I work at smallstep and we’re partnering with yubico to give away five build kits for this project. DM us at @smallsteplabs on twitter to enter. See also: https://twitter.com/smallsteplabs/status/1341800787291168768

      1. 2

        Is there any support for the Nitrokey (HSM) keys in smallstep / step-ca ?

        1. 2

          @sigio, it appears Nitrokey supports PKCS#11. Right now we have native support for AWS KMS, Yubi, and GCP KMS. We will be releasing full PKCS#11 support in the next month. While not everyone follows that standard, it should be plug and play at that point. If you have other questions or would like me to ping you when support is available, hit me up at maxey at Smallstep dot com.

        2. 1

          Nice! I started using step-cli at work for setting up all our development envs for web application/server development to have a trusted TLS setup, and I really like it, as it’s a lot better than openssl :)

          I’ve also figured out you can generate S/MIME certificates with step-cli, which was neat; the only thing which is still lacking is PFX/PKCS12 support. (But that’s pretty obscure anyway :P)

        3. 1

          Cool! I’ve done some experimentation with step-ca to provide TLS in my home lab, using ACME (it was really easy, I pretty much followed this blog entry).

          This setup looks even neater, but too bad you have to compile it yourself. Having an ARM container image would also be awesome, but I’ve been too lazy to fix it myself. :)

          1. 2

            ARM is on our list and given the success of this tiny ca post, it’s likely getting bumped up in priority next week :).

            1. 2

              ARM will work fine, but it’ll be very slow since go crypto isn’t hardware accelerated on ARM quite yet :)

              1. 2

                Well, if you run anything on a RPi/similar you might not be expecting grand performance :-)

              2. 1

                Great to hear that! I run mine in a FreeBSD jail (x86-64) since it was the easiest way to test it with, but would happily move to some SBC if possible.